How do I allow outbound VPN connections?

PhilThis

IS-IT--Management
Dec 12, 2002
2
US
Please help a newbie? I did a search but could not find a thread specific to this... If someone could point me in the right direction, it would be most appreciated.

I can't seem to get internal clients to connect to outside VPN servers using PPTP.

Here is my access list..

access-list acl_out0 permit icmp any any
access-list acl_out0 permit tcp any host x.x.x.x eq smtp
access-list acl_out0 permit tcp any host x.x.x.x eq www
access-list acl_out0 permit any any tcp eq 1723
access-list acl_out0 permit gre any any eq 47

applied as

access-group acl_out0 in interface outside0

Internal clients are NAT'd to the outside.

Any help would be most appreciated.
 
Hi.

> access-list acl_out0 permit gre any any eq 47
It should be just:
> access-list acl_out0 permit gre any any

Outbound PPTP will not work via PAT, because in that case the PIX will not be able to forward incoming GRE packets.
You either need to have enough registered addresses and use NAT (many to many), or use PAT for most of the workstations, and the few workstations that need the outbound VPN will have a reserved IP address with STATIC translation.

Bye
Yizhar Hurwitz
 
Thanks Yizhar... I kinda suspected what you said, but wasn't sure... I did set up a small range of public IPs for NAT and a single IP for PAT. The public IPs were quickly used up. I increased the range and all is well. Thanks again.

P.
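
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not PIX code: a simplified Python model of a translation table with a one-to-one NAT pool and a PAT fallback. It shows the PPTP control channel (TCP 1723) surviving PAT while the portless GRE replies have nothing to match on, and how a small pool runs out. All addresses and host names are constructed.

```python
"""Simplified model (constructed, not PIX code) of NAT pool + PAT fallback."""

class Translator:
    def __init__(self, nat_pool, pat_ip):
        self.free = list(nat_pool)   # public IPs for one-to-one dynamic NAT
        self.pat_ip = pat_ip         # single shared public IP used for PAT
        self.one_to_one = {}         # public IP -> inside host
        self.pat_ports = {}          # (proto, public port) -> (inside host, port)
        self.next_port = 1024

    def outbound(self, host, proto, sport=None):
        """Translate an outbound packet; return (public_ip, public_port)."""
        for pub, inside in self.one_to_one.items():
            if inside == host:
                return pub, sport
        if self.free:                # pool address available: one-to-one NAT
            pub = self.free.pop(0)
            self.one_to_one[pub] = host
            return pub, sport
        if sport is None:            # GRE has no port: PAT cannot record a mapping
            return self.pat_ip, None
        port = self.next_port        # pool exhausted: share the PAT address
        self.next_port += 1
        self.pat_ports[(proto, port)] = (host, sport)
        return self.pat_ip, port

    def inbound(self, dst_ip, proto, dport=None):
        """Return the inside (host, port) for a reply, or None if it is dropped."""
        if dst_ip in self.one_to_one:
            return self.one_to_one[dst_ip], dport
        if dst_ip == self.pat_ip and dport is not None:
            return self.pat_ports.get((proto, dport))
        return None                  # portless GRE to the PAT address: no match


def pptp_session(xlate, host):
    """One PPTP client: TCP control channel first, then the GRE data channel."""
    ctl_ip, ctl_port = xlate.outbound(host, "tcp", 40000)
    gre_ip, _ = xlate.outbound(host, "gre")
    control = xlate.inbound(ctl_ip, "tcp", ctl_port)
    data = xlate.inbound(gre_ip, "gre")
    return {"control_ok": control is not None and control[0] == host,
            "gre_ok": data is not None and data[0] == host}


if __name__ == "__main__":
    x = Translator(["192.0.2.10", "192.0.2.11"], "192.0.2.20")  # constructed
    for h in ("ws-a", "ws-b", "ws-c"):   # third host finds the pool used up
        print(h, pptp_session(x, h))
```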
 